IA-5 Authenticator Management
Description
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length).
In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk.
The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3 and AC-6 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges).
Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example:
- minimum password length,
- password composition,
- validation time window for time synchronous one-time tokens, and
- number of allowed rejections during the verification stage of biometric authentication.
Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately.
Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.
Applicability
This control also applies to any other entity that uses university information resources that require authentication.
The intended audiences are university employees who are required to ensure that password-based authentication procedures are followed (e.g., unit heads, information resource owners and custodians), and those individuals who need to be aware of the procedures (e.g., non-technical university employees, staff, faculty, students, guests, or visitors).
Implementation
TAMU-CC manages information system authenticators by:
- Defining initial authenticator content. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
- Establishing initial authenticator content for authenticators defined by the organization;
- Ensuring that authenticators have sufficient strength of mechanism for their intended use;
- Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
- Changing default content of authenticators prior to information system installation;
- Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
- Changing/refreshing authenticators every one hundred eighty (180) days;
- Protecting authenticator content from unauthorized disclosure and modification;
- Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
- Changing authenticators for group/role accounts when membership in those accounts changes.
Requirements for password complexity based on type of user:
- Ensure that passwords comply with the following:
  - Individual interactive account (student, faculty, staff, and affiliate)
    - Generation: user-chosen or randomly generated by algorithm
    - Expiration: 180 days
    - Minimum Length: 8 characters
    - Required Complexity: at least three of the following five:
      - Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
      - Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
      - Base 10 digits (0 through 9)
      - Non-alphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
      - Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
    - History: 10 passwords
    - Min Age: 1 day
  - Administrative interactive account (.admin, _admin or admin for systems that require a local administrative account)
    - Generation: user-chosen or randomly generated by algorithm
    - Expiration: 180 days
    - Minimum Length: 12 characters
    - Required Complexity: at least three of the following five:
      - Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
      - Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
      - Base 10 digits (0 through 9)
      - Non-alphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
      - Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
    - History: 10 passwords
    - Min Age: 1 day
  - Service accounts
    - Generation: randomly generated by algorithm
    - Expiration: never
    - Minimum Length: 24 characters
    - Required Complexity: at least three of the following five:
      - Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
      - Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
      - Base 10 digits (0 through 9)
      - Non-alphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
      - Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
    - History: 10 passwords
    - Min Age: 1 day
  - Other precautions should be taken where feasible and relevant:
    - Limit login to specific source IP address(es);
    - Turn off interactive login.
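The following is an added example, not part of the TAMU-CC policy text: a small Python checker that enforces the per-account-type minimum lengths and the three-of-five character-class rule listed above, plus a generator for service-account passwords. The mapping of the five classes onto Unicode general categories (Lu, Ll, other alphabetic) and the account-type labels are this example's assumptions.

```python
"""Checker for the IA-5 password complexity rules stated in the policy above.

Added example; not the policy's own tooling. The Unicode-category mapping and
the account-type names ("individual", "admin", "service") are assumptions.
"""
import secrets
import string
import unicodedata

# Minimum lengths per account type, taken from the policy above.
MIN_LENGTH = {"individual": 8, "admin": 12, "service": 24}

# The non-alphanumeric set listed verbatim in the policy.
SPECIALS = set('~!@#$%^&*_-+=`|\\(){}[]:;"\'<>,.?/')


def character_classes(password: str) -> set[str]:
    """Return which of the five policy character classes appear in the password."""
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":              # uppercase letters (Latin, Greek, Cyrillic, accented)
            found.add("upper")
        elif cat == "Ll":            # lowercase letters, including sharp-s and accented forms
            found.add("lower")
        elif ch in string.digits:    # base-10 digits 0 through 9 only
            found.add("digit")
        elif ch in SPECIALS:         # the policy's explicit punctuation list
            found.add("special")
        elif ch.isalpha():           # alphabetic but neither upper nor lower (e.g. CJK)
            found.add("other_alpha")
    return found


def check_password(password: str, account_type: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password complies."""
    problems = []
    minimum = MIN_LENGTH[account_type]
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if len(character_classes(password)) < 3:
        problems.append("fewer than three of the five character classes")
    return problems


def generate_service_password(length: int = MIN_LENGTH["service"]) -> str:
    """Randomly generate a service-account password that satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + "".join(sorted(SPECIALS))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, "service"):   # retry until three classes present
            return candidate
```

Expiration, history and minimum age are lifecycle properties that an identity provider enforces at change time; they are outside what a static checker like this can verify.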
Revision History
Last Updated: February 21, 2025
Previous Versions:
- June 29, 2023
- May 31, 2022
- March 25, 2021
- September 16, 2019